0

Hi, I'm really glad I'm able to get help about this stuff; if you can help me I'd greatly appreciate it.

I'm running Windows 2000, I have Microsoft Anti-Spyware for spyware removal, and McAfee real-time protection. I also have Ad-Aware, and I have Spybot Search and Destroy. I thought my computer was pretty clean but I guess not. I've been running this combination for quite some time and I haven't had any problems. Now it's become really bad... I have ad yieldmanager (I think that's what it's called) popping up, and I did have the WinFixer thing pop up. Now my computer freezes. It's weird. I can hear my computer stop whirring and it sounds like it just shuts down. Then sometimes it'll "come back to life." Sometimes when this freeze happens my screen will turn off, come back on, and then my computer will come up with this screen with a bunch of lines that are all chopped up. I can't do anything from that, and I'll have to restart it. I just downloaded HijackThis... and I have been using Mozilla Firefox for quite some time. I thought I could keep my OS pretty clean. But sometimes when I boot up, it says it can't detect my OS, OR it'll say the following have been updated and it will tell me disk 4 is updated or something like that. My HijackThis log is:


Logfile of HijackThis v1.99.1
Scan saved at 11:37:07 AM, on 9/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\system32\mobsync.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\alan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: Vitrite.lnk = C:\Program Files\Tiny Utilities\Vitrite\Vitrite.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122430014494
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

I do not know what any of this means and if I could have help I would be in great debt to you guys. Oh, and another thing I wanted to add was, is there a way I can just wipe my hard drive and then there will be no viruses on it? Thanks for all help on this, I really really really appreciate it. :confused:

0

:cry: Please, someone needs to help me!! :cry:

Now my computer is having trouble booting. It won't turn on without just stopping... and then it stops and sits there and you can't do anything about it. :cry:

I can MAYBE get it into safe mode, but from there what do I do? There is a slight chance I'd be able to get into regular mode, without it stopping for maybe, say, 10 minutes. This thing is really screwed up. I need help.

I'm on my knees, DaniWeb.

Please help me. :cry:

0

Hi,
Download Ewido and install it. Then run it; you will receive a warning message saying "Database not found", click "OK" for this. Next, in the main screen, click "Update" and click "Start Update".
After the update process, click on the "Scanner" button in the left menu, then click on the "Complete System Scan" button.
If Ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.


Download CleanUp! and install it. Run it and click the "Options.." button. Here move the "Quick Setup" slider to the "Thorough Cleanup" position. Uncheck the option "Delete Favorites Places/Bookmarks", if you have any bookmarks. Click "OK" to return to the main window, and click "CleanUp!" to start cleaning. After it completes, click "Close" and click "No" to avoid logging off.


Restart the PC.


Download WinPFind.ZIP and completely extract it to a folder. Then run WinPFind.exe and click "Start Scan". When the scan completes, click the "Copy to Clipboard" button to copy the log it gives, and please post it here.

0

Thank you SO much, I'll post that right away. Just as an FYI, I'm on my safe mode right now, which is allowing me to be on the internet because I chose to do it with networking. I'm going to go do all that in safe mode right now. Stop me if that's not what I should do.

0

Hi,
Yes, you can do those scans in Safe Mode itself. Performing those scans in Safe Mode yields better results :)

0

*minor update*

So I've been in safe mode and I've gotten Ewido. It did not give me a message that said database not found, so I didn't click an OK button on a dialog box like that. I did retrieve the updates as I was told to do and I did run the scan. But when I got to about 81% (it said it found 56 objects) my computer stopped. I also did the quarantine them option and remove them and do this action for all of them when that box came up. So I had to just hit the power switch, went back into safe mode, ran the scan again. It did the same thing again. Now I'm back doing it again, posting this as it works on. Right now it's 81% again (coincidence?) and it has 56 objects found. Hopefully the scan will complete and the computer won't "crap out." I'll be sure to follow the next steps when I can.

I'd just like to say that I feel like a total brat for asking for help, but I greatly appreciate that you're taking your time to do this, and you're having patience with me. Thanks :cool:

0

Wow, in a very impatient mood right now... my ****ing computer is not cooperating. This thing will turn off EVERY TIME I scan with Ewido. Gets to like 83.6 percent and boom, ****ing stops working. *whew* OK, anger aside... I am not liking Microsoft right now and their little bugs.

Another thing I've gotten, sometimes when I finally get it to run in safe mode, is that it turns to this blue screen that says that I have to fix software or hardware, and it's something like the "stop problem".
It says to consult my manual, which of course I don't have.

I can't run the Ewido scan. Every time I run it my computer craps out before it finishes. What should I do now?

0

Hi,
OK, we have to manually remove any "bad" files that may be present. Run CleanUp! and then run WinPFind and post its log file. (Please refer to my previous post for usage instructions of CleanUp! and WinPFind.)

0

Got the Ewido scan done FINALLY, moving on to part two and then part 3 very soon. Thanks for waiting and checking up.

0

Good news! Got all the scanning and cleaning done! Bad news: to turn on my computer before I got all this done I had to smack the **** outta my PC for it to turn on. :cry: I know it's abusive but I couldn't even get it on last night, I was like freaking out. Anyways, here's the winpfix.exe (sp?) log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000    Current Build: Service Pack 4    Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX!                 6/10/2005 9:48:40 AM        58368      C:\WINNT\Unwash6.exe

Checking %System% folder...
PECompact2           9/8/2005 11:08:28 PM        1997664    C:\WINNT\SYSTEM32\MRT.exe
aspack               9/8/2005 11:08:28 PM        1997664    C:\WINNT\SYSTEM32\MRT.exe
Umonitor             6/19/2003 12:05:04 PM       529168     C:\WINNT\SYSTEM32\RASDLG.DLL
winsync              12/7/1999 8:00:00 AM        1309184    C:\WINNT\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     9/13/2005 8:31:12 PM     H  54156      C:\WINNT\QTFont.qfn
                     9/19/2005 3:41:40 PM      S 64         C:\WINNT\CSC\00000001
                     9/19/2005 3:41:40 PM      S 64         C:\WINNT\CSC\00000002
                     9/19/2005 3:12:38 PM      S 64         C:\WINNT\CSC\csc1.tmp
                     7/26/2005 10:09:04 PM    H  0          C:\WINNT\inf\oem17.inf
                     9/18/2005 4:10:50 PM     H  1024       C:\WINNT\system32\config\default.LOG
                     9/19/2005 3:41:44 PM     H  1024       C:\WINNT\system32\config\SAM.LOG
                     9/19/2005 3:41:32 PM     H  1024       C:\WINNT\system32\config\SECURITY.LOG
                     9/19/2005 3:48:32 PM     H  1024       C:\WINNT\system32\config\software.LOG
                     9/18/2005 5:07:54 PM     H  6          C:\WINNT\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation          12/7/1999 8:00:00 AM        67344      C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation          6/19/2003 12:05:04 PM       301328     C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation          6/19/2003 12:05:04 PM       237328     C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation          12/7/1999 8:00:00 AM        128272     C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation          8/29/2002 7:14:40 AM        292352     C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        118032     C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        36112      C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation          10/30/2001 8:10:00 AM       326144     C:\WINNT\SYSTEM32\joy.cpl
Sun Microsystems, Inc.         12/6/2004 9:31:48 PM        49265      C:\WINNT\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        122128     C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        303888     C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        17168      C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        41232      C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation          6/19/2003 12:05:04 PM       41232      C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation          6/19/2003 12:05:04 PM       90896      C:\WINNT\SYSTEM32\powercfg.cpl
Apple Computer, Inc.           9/23/2004 6:57:40 PM        323072     C:\WINNT\SYSTEM32\QuickTime.cpl
Microsoft Corporation          6/19/2003 12:05:04 PM       83216      C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation          6/19/2003 12:05:04 PM       125712     C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation          12/7/1999 8:00:00 AM        5904       C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        61200      C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          8/29/2002 7:14:40 AM        292352     C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
IBM Corporation                9/23/1999 6:44:36 PM        94208      C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        41232      C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     4/8/2005 7:11:44 PM         1668       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MA111 Configuration Utility.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
                     9/17/2005 2:04:52 PM        770        C:\Documents and Settings\alan\Start Menu\Programs\Startup\OpenOffice.org 1.1.5.lnk
                     7/26/2005 7:33:00 PM        1483       C:\Documents and Settings\alan\Start Menu\Programs\Startup\Rainlendar.lnk
                     9/17/2005 9:49:08 PM        672        C:\Documents and Settings\alan\Start Menu\Programs\Startup\Vitrite.lnk

Checking files in %USERPROFILE%\Application Data folder...
                     9/17/2005 2:04:52 PM        83         C:\Documents and Settings\alan\Application Data\sversion.ini
UPX!                 9/11/2005 8:12:48 PM        280064     C:\Documents and Settings\alan\Application Data\tizhook.bin
                     9/12/2005 8:13:42 PM        10         C:\Documents and Settings\alan\Application Data\tizhook.vers
                     9/12/2005 8:13:42 PM        24356      C:\Documents and Settings\alan\Application Data\tizinf.xml
                     9/11/2005 8:12:46 PM        138402     C:\Documents and Settings\alan\Application Data\tizupd.bin

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\7-Zip
    {23170F69-40C1-278A-1000-000100020000}   = C:\Program Files\7-Zip\7-zipn.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}   = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936}   = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\VirusScan
    {cda2863e-2497-4c49-9b89-06840e070a87}   = C:\Program Files\Network Associates\VirusScan\shext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
    {E0D79304-84BE-11CE-9641-444553540000}   = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\VirusScan
    {cda2863e-2497-4c49-9b89-06840e070a87}   = C:\Program Files\Network Associates\VirusScan\shext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
    {E0D79304-84BE-11CE-9641-444553540000}   = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip
    {23170F69-40C1-278A-1000-000100020000}   = C:\Program Files\7-Zip\7-zipn.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}   = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}   = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\VirusScan
    {cda2863e-2497-4c49-9b89-06840e070a87}   = C:\Program Files\Network Associates\VirusScan\shext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
    {E0D79304-84BE-11CE-9641-444553540000}   = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
     = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
     = C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
     = %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
     = C:\WINNT\System32\docprop2.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
     = C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {8E718888-423F-11D2-876E-00A0C9082467}   = &Radio   : C:\WINNT\system32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
    ButtonText   = AIM  : C:\Program Files\AIM\aim.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
    Media Band = %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
    File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
    Favorites Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\system32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\system32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\browseui.dll
    {40D41A8B-D79B-43D7-99A7-9EE0F344C385} =    : 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    Synchronization Manager mobsync.exe /logon
    ShStatEXE   "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    McAfeeUpdaterUI "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    gcasServ    "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    SunJavaUpdateSched  C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    QuickTime Task  "C:\Program Files\QuickTime\qttask.exe" -atboottime
    MMTray  "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    AIM C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    CleanUp!    C:\PROGRA~1\CleanUp!\cleanup.exe /WindowsRestart

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption  
    legalnoticetext 
    shutdownwithoutlogon    1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun  149
    CDRAutoRun  0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    Network.ConnectionTray          {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
    WebCheck                        {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
    SysTray                         {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit    = C:\WINNT\system32\userinit.exe,
    Shell       = Explorer.exe
    System      = 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
     = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
     = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
     = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
     = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
     = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
     = wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs    


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/19/2005 3:49:23 PM

So uh, does this mean it won't NOT turn on anymore and it won't suddenly freeze?

Edited by mike_2000_17: Fixed formatting

0

Hi,
Delete these files:
C:\Documents and Settings\alan\Application Data\tizhook.bin
C:\Documents and Settings\alan\Application Data\tizhook.vers
C:\Documents and Settings\alan\Application Data\tizinf.xml
C:\Documents and Settings\alan\Application Data\tizupd.bin

After this, perform an online virus scan at Panda ActiveScan with the "Disinfection" option enabled. Save the log it gives after the scan, and please post the same.

0

OK, here is the Panda scan. :cool:

Incident Status Location

Adware:adware/savenow No disinfected Windows Registry

0

Hi,
Open a new file in Notepad and copy the contents of the below "Quote" box to Notepad:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave]
[-HKEY_CLASSES_ROOT\WUSN.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Xtractor Plus_is1]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Free Software]

Go to the File menu (in Notepad) > Save As, type the filename as Fix.REG and save the file. Exit from Notepad.


Double-click on this file and choose "Yes" to merge it into the Registry.


Restart the PC, and please post back whether you get any pop-ups related to any spyware or not.
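
A pre-merge check for a fix file like the Fix.REG above, as an added example that is not part of the original thread: it parses the `.reg` text, lists every operation, and flags any key deletion that would take a whole protected branch with it. The `PROTECTED` list, the function names and the second sample file are assumptions made for illustration.

```python
import re

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")

# Assumption: an illustrative list of branches that must never be deleted whole.
PROTECTED = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt",
]

# The fix file exactly as posted in the thread.
FIX_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave]
[-HKEY_CLASSES_ROOT\WUSN.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Xtractor Plus_is1]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Free Software]
"""

# Constructed sample: the same kind of fix with the last path component lost,
# plus a single-value deletion, to show what the check reports.
BAD_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleEntry"=-
"""


def parse_reg(text):
    """Return (action, key, value_name) tuples in file order."""
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing .reg header line")
    ops, key = [], None
    for ln in lines[1:]:
        m = re.fullmatch(r"\[(-?)(.+)\]", ln)
        if m:
            deleting, key = m.group(1) == "-", m.group(2)
            ops.append(("delete-key" if deleting else "open-key", key, None))
            if deleting:
                key = None  # "[-KEY]" removes the key; no values follow it
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)', ln)
        if m and key is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            action = "delete-value" if m.group(2) == "-" else "set-value"
            ops.append((action, key, name))
    return ops


def covers(deleted, protected):
    """True if deleting `deleted` also removes `protected` (case-insensitive)."""
    d, p = deleted.lower().rstrip("\\"), protected.lower().rstrip("\\")
    return p == d or p.startswith(d + "\\")


def review(ops):
    """Split key deletions into (narrow, broad) lists."""
    narrow, broad = [], []
    for action, key, _ in ops:
        if action != "delete-key":
            continue
        whole_hive = "\\" not in key
        hit = any(covers(key, p) for p in PROTECTED)
        (broad if whole_hive or hit else narrow).append(key)
    return narrow, broad


if __name__ == "__main__":
    for label, text in (("Fix.REG", FIX_REG), ("constructed", BAD_REG)):
        narrow, broad = review(parse_reg(text))
        print(label)
        for k in narrow:
            print("  deletes     ", k)
        for k in broad:
            print("  TOO BROAD   ", k)
```
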
